The effect of information security certification announcements on the market value of the firm

  • Jason K. Deane
  • David M. Goldberg
  • Terry R. Rakes
  • Loren P. Rees


Information security management has increasingly been recognized as one of the major business challenges of the last decade. While security research has widely recognized that breaches are detrimental to business value, the other side of the equation has received little attention. The literature on the value impact of proactive financial investments into information security management infrastructure and policy is very limited. Unlike most information technology investments, reinforcements to information security management programs suggest a reduction of a firm’s risk of damages in future attacks rather than an improvement in a firm’s revenue generation. Furthermore, contemporary information security management represents a process-based shift in a firm’s operations. In light of the unique information security risks faced by modern firms, we posit several hypotheses related to the value created from information security management program investments. We then present an empirical examination of the effects of information security management program investments on shareholder value. We use a firm’s successful completion of the ISO 27001 certification requirements as evidence of its commitment to developing a robust information security management program. Based on 111 public announcements, we find that the associated abnormal stock market reaction is both positive and statistically significant. We further control for firms’ industries, sizes, and dates of certification, and we find that they all affect the mean abnormal returns observed. This study demonstrates the capacity for information security management program investments to generate value for firms and further offers guidance for practitioners seeking to maximize shareholder value.


Keywords: Information security; Event study; Security investments; Cybersecurity; ISO 27001




Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. Department of Business Information Technology, Pamplin College of Business, Virginia Tech, Blacksburg, USA
